Andy Ful

...
To me, delivery is not exploitation; exploitation is the act of abusing a vulnerability. Eternal Blue is a kernel exploit: it abuses a vulnerability.
Default-deny tools (anti-exe, etc.) don't prevent exploitation of vulnerabilities.
The only thing they can do is prevent (as you said) either delivery of the exploit or the post-exploitation part of the attack chain (like abusing rundll32.exe, etc.).

Anti-exploit software is HMPA, MBAE, Windows 10 Exploit Protection and some components in suites, which can prevent exploitation of vulnerabilities, which occurs most of the time via memory attacks.

There is no such thing as "basic anti-exploit"; this is just marketing shenanigans made by some vendors to make their solutions more appealing. And many fall for it and parrot it across boards, so unaware people believe that your so-called basic anti-exploit (aka Default-Deny) will protect them from REAL in-memory exploits/attacks.
That is correct. OSA does not detect exploiting methods, so it cannot be anti-exploit software. But still, it is software with several anti-malware and anti-exploit prevention abilities.
 

Andy Ful

Almost certainly.
But the important thing is that it has stopped the DEP Exploit Test which is not blocked by MBAE.
This is interesting to me. ;)
"This test allocates a piece of non-executable memory on the heap and copies shellcode to start calc.exe to this memory. Then it jumps to that shellcode. This will trigger a DEP exception which, in case of HitmanPro.Alert, will be intercepted."
Like several methods in this test, it is constructed from two parts: Exploiting method + executing the payload

HitmanPro will detect and block the exploiting method - this is what anti-exploit should do.
OSA will block the payload execution, as post-exploitation (post-infection) prevention.
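The quoted DEP test, reduced to a runnable demonstration of the two parts it is made of. This is an added example written for this thread, not code from HitmanPro.Alert, MBAE or OSArmor, and it targets Linux on x86-64 or AArch64 rather than Windows: a page mapped with mmap() stands in for the heap allocation, a constructed stub that just returns 42 stands in for the calc.exe shellcode, and a SIGSEGV handler stands in for the anti-exploit hook that intercepts the DEP exception. The function name run_stub and its return codes are the example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for the test's shellcode: returns 42 instead of
 * starting calc.exe. Machine code is arch-specific, hence the #if. */
#if defined(__x86_64__)
static const unsigned char STUB[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                      0xc3 };                         /* ret         */
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0, #42 */
                                      0xc0, 0x03, 0x5f, 0xd6 }; /* ret         */
#else
#error "stub only provided for x86-64 and AArch64"
#endif

static sigjmp_buf recover;

/* Fault handler: this is the point where an anti-exploit product would
 * intercept the DEP exception. Here we only unwind back to run_stub(). */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(recover, 1);
}

/* Copies the stub into a fresh page and jumps to it.
 * Returns 42 if the stub ran, -1 if the jump faulted (the DEP/NX
 * exception the test relies on), -2 if the mapping itself failed. */
int run_stub(int executable) {
    int prot = PROT_READ | PROT_WRITE | (executable ? PROT_EXEC : 0);
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -2;

    memcpy(buf, STUB, sizeof STUB);                     /* "copies shellcode" */
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof STUB);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(recover, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &buf, sizeof fn);   /* data pointer -> function pointer */
        result = fn();                  /* "jumps to that shellcode" */
    } else {
        result = -1;                    /* NX fault intercepted before any payload ran */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, len);
    return result;
}

int main(void) {
    printf("non-executable page: %d (DEP fault, exploiting method stopped)\n", run_stub(0));
    printf("executable page:     %d (stub ran, only payload-layer controls remain)\n", run_stub(1));
    return 0;
}
```

Compile with cc -o dep_test dep_test.c and run. The first call faults because the page is non-executable, so the chain is cut at the exploiting method and no payload ever runs; that is the layer HitmanPro is credited with above. The second call succeeds because the page was mapped PROT_EXEC, which is the situation in which only the payload-execution layer (OSA's role in the posts above) is left to act.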
 

ForgottenSeer 823865

HitmanPro will detect and block the exploiting method - this is what anti-exploit should do.
OSA will block the payload execution, as post-exploitation (post-infection) prevention.
You found the right wording ;)

More people should be aware of the distinction and not misunderstand/mix them. That is the reason I'm quite irritated by some vendors knowingly doing it for marketing purposes, hence misleading unaware users.

"stopping a bullet isn't same as putting a bandage on its wound"
 

Sampei Nihira

Ah, you are always here discussing OSA!! :)
Well, it means that the software is interesting.
In fact, I use it together with MBAE.

But on the other PC the security configuration and even the browser are different.
So the security configuration would be different if I had another PC.
This diversity would be additional protection for all PCs.
 

ForgottenSeer 823865

That is what I like about NVT: they stick to the purpose of the product, whatever it is (ERP, OSA, or SOB), not bloating them with unneeded features, so they stay efficient and don't require much maintenance.


If I were still on Windows 10 Home, OSA would be part of my security setup.
Even on Windows 10 Ent, I miss using it; the custom rules implementation is way too good and efficient.
 

Gandalf_The_Grey

Hello guys, hope all of you are fine during this particular situation.

Just wanted to let you know about some updates:

We've been working the past 8+ months on cloud-based services, such as APIVoid - a service that offers JSON APIs for threat analysis and detection, more information here:
Threat Analysis APIs for Threat Detection & Prevention | APIVoid

We're now back on track but to keep up with software development (time, code sign, certificates, servers, testings, fixes, updates, etc) we'll change a few things, one of which is that OSArmor and other software will become subscription-based.

The new version of OSArmor will be available soon for subscribed users.

We've mostly finished working on the auto-update of OSArmor, so it will safely update to new versions automatically without user intervention. Plus we've added options to update CustomBlock.db and Exclusions.db rules from a remote URL, which should be useful to companies.

I'll have some updates on this soon (no parallel projects now so we're working on these changes full time).

We have other good news, but let's first complete this "phase 1".

Will keep you updated here regularly.

A copy-paste of Andreas' post at Wilders.

Sad to see that OSArmor and other software will be subscription-based from now on.
 

blackice


A copy-paste of Andreas' post at Wilders.

Sad to see that OSArmor and other software will be subscription-based from now on.
Honestly it is a quality piece of software and I don’t mind paying him for his work if the price is reasonable.
 

plat1098

He didn't post this info over here, only at Wilders so far. :(
I don't know what to do right now. There is H_C, of course, and if I could donate, I would instantly. But if one is used to OSArmor as freeware....

Let's see how much he will ask as a subscription fee. I have a limit in mind already.
 

EndangeredPootis

I wouldn't like to pay for this kind of development; for how long was everything about OSArmor quiet, and now, after almost two years, he decides to inform users what is going on from now on. That isn't very user-friendly, at least from my point of view...
Everyone, including all of us, has a life, sometimes a family, to take care of; it isn't really all that weird for developers to go quiet for a while.
 

NoVirusThanks

Developer
@Gandalf_The_Grey

Thanks for sharing the post here.

Just including below the two images from the post at Wilders:

osarmor-new.png


changelog.png


@silversurfer @plat1098

Totally understand your points and that's fine.

We've had to handle many things happening during the past year (good and bad) and we had to reduce freeware software development.

Subscription pricing for home users will be definitely reasonable.

I will post updates here too regularly.
 

upnorth

Everyone, including all of us, has a life, sometimes a family, to take care of; it isn't really all that weird for developers to go quiet for a while.
I agree with @silversurfer on this. Developers can also talk like everyone else and give information. Saying nada/nothing for that extremely long time period doesn't really create the key factor, trust. Personally, I would and will avoid this tool.
 